New in 1.2.0

Interesting stuff for end users to know:

- Now handles TAI64 timestamped logfiles, a la D. J. Bernstein's multilog package. In other words, you can "cat /var/log/qmail/current | logtool" and get output like you would expect from doing the same with a syslog.
- Now does specialized output for some events, such as those generated by snort and iptables (only in HTML, ANSI, and ASCII modes, though).
- Now handles completely unknown and unformatted input. (It will colorize it and/or ignore it based on the usual regexes, but will not try to put it into formatted or colorized or other kinds of columns.)
- Will (hopefully) never leave you wondering where your data went if you feed it input that is not strictly a syslog-ish format.
- Now (hopefully) will never barf upon being unable to read a config or regex (or other) file.
- Now does hostname lookups for iptables and snort (and possibly other) events in your syslogs.
- Please see 'logtool -h' for a new listing of the command line. In truth, all old options from 1.0.7 have been kept in place for compatibility with any scripts you may have written using them, but I hope you make note and update your scripts and such to avoid any of the deprecated options (deprecated options are not listed :). Someday, I'll remove the deprecated options entirely. You have been warned!

Interesting stuff for the more technically inclined:

- Oh wow, where to start? Sooo many changes to the internals that you might as well sit down and commence to reading the code and comments, as big big big chunks of it hardly resemble anything that came before. If you don't believe me, do a diff with a logtool-1.0.x tree. :) However, I suppose I would be remiss if I didn't give you at least a few of the highlights.
- src/Makefile has changed quite a bit to (hopefully) be more dynamic in how it does the build. (IE: I've discovered some new macros :)
- A whole new environment-based config file reader has been implemented. Syntax in config files is now MUCH more lenient on users, and lends itself better to the following new feature. See readconf.c.
- See logtool.h for the new data structs. Very little remains of the old variables and structs and such.
- Speaking of those structs, we now dynamically handle regexes from file, so that there are no limits based on buffer size (other than available memory).
- Speaking of regexes, we now compile the strings beforehand and just call regexec() directly, instead of running regcomp() and freeing the result every time. This spares a good deal of CPU overhead, which comes in handy, as there is so much more going on that even with all the efficiency improvements we're slower than the old logtool by a few percentage points (thankfully, ASCII parsing in C is fast enough that you should notice very little difference without using 'time' :)
- Note the following two terms: "Output Modules" and "Event Modules". They are separate things, where once they were not. :)
- Moved to a modular system, whereby we can do customized colorizations in output depending on what kind of messages are input. (Current modules are: UNKNOWN, SYSLOG, SNORT_SYSLOG, and IPTABLES_SYSLOG.) The modules in essence return a string in event.pmsg with embedded \033's, which are parsed into whatever color format a given output module might need.
  NOTE: Modules will take config directives in the config file instead of the command line. The cmdline switches for this program are getting just too ridiculous.
  NOTE: The CSV output module isn't really smart enough to know what to do with modules just yet, so all it still does is the syslog-like format.
  NOTE: I was very bad, and used \033's that aren't standard to any other known format, just because it seemed like the thing to do, and it was easier than reading up on another encoding method :)
- Relating to modules, the internal code has changed regarding parsing of events. Instead of each module doing some of its own output setup, the event modules are now responsible for doing the parsing, and the output code for the various output formats just parses what the event modules generate. This makes output modules simpler to write, and event modules harder to code.
- Changed a lot of the strncpy() calls to strcpy() calls in the name of efficiency and performance. Calls which rely on user input remain as strncpy(), however, to (we hope) avoid crashes. :)
- A bunch of other stuff I'm no doubt not remembering (or going to). I hate to admit it, but I've reached the point where I can't be bothered to do much documentation, and you should just "use the source, Luke" if you need to know/do more with logtool than is immediately apparent without mucking with the source.
- Best of luck, and God bless you all.
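As an added illustration of the TAI64N handling described in the first bullet (example code written for this note, not logtool's own source), here is a parser for the "@" plus 24-hex-digit labels that multilog writes; it rejects malformed labels so that unrecognised lines can be passed through unchanged rather than misread. The only assumption is that the TAI to UTC leap-second offset is ignored when rendering the time.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
/* A multilog TAI64N label: '@', 16 hex digits of seconds (TAI, offset by
 * 2^62) and 8 hex digits of nanoseconds: 25 characters in all. */
#define TAI64N_LABEL_LEN 25
struct tai64n {
    uint64_t sec;   /* seconds since the TAI64 epoch (1970-01-01 00:00:00 TAI) */
    uint32_t nsec;
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;   /* also rejects the NUL terminator of a short line */
}
/* Parse a TAI64N label at the start of line. Returns the bytes consumed
 * (label plus one trailing space) or 0 when no well-formed label is present,
 * so the caller can fall through to plain-syslog handling instead of
 * guessing. Writes *out only on success and never reads past the NUL. */
size_t tai64n_parse(const char *line, struct tai64n *out) {
    uint64_t sec = 0, nsec = 0;
    if (line == NULL || line[0] != '@') return 0;
    for (int i = 1; i < TAI64N_LABEL_LEN; i++) {
        int h = hexval((unsigned char)line[i]);
        if (h < 0) return 0;
        if (i <= 16) sec = (sec << 4) | (uint64_t)h;
        else         nsec = (nsec << 4) | (uint64_t)h;
    }
    /* Below 2^62 means pre-1970 (or garbage); nanoseconds must be < 1e9. */
    if (sec < (1ULL << 62) || nsec >= 1000000000ULL) return 0;
    out->sec = sec - (1ULL << 62);
    out->nsec = (uint32_t)nsec;
    return line[TAI64N_LABEL_LEN] == ' ' ? TAI64N_LABEL_LEN + 1 : TAI64N_LABEL_LEN;
}

/* Render as "YYYY-MM-DD HH:MM:SS.nnnnnnnnn". Assumption of this example: TAI
 * seconds are used directly as UTC seconds (no leap-second table), so the
 * result runs a few tens of seconds ahead of true UTC. 0 on success, -1 on failure. */
int tai64n_format(const struct tai64n *t, char *buf, size_t buflen) {
    time_t secs = (time_t)t->sec;
    struct tm *tm = gmtime(&secs);
    char date[32];
    if (tm == NULL || strftime(date, sizeof date, "%Y-%m-%d %H:%M:%S", tm) == 0)
        return -1;
    return snprintf(buf, buflen, "%s.%09u", date, (unsigned)t->nsec) < (int)buflen ? 0 : -1;
}
```

A caller prints any line for which tai64n_parse() returns 0 exactly as it arrived, which is the "never leave you wondering where your data went" behaviour the notes promise for input that is not syslog-shaped.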